In the WiMAX Forum (WMF) Networking group (NWG), the network architecture specifications for mobile broadband networks according to the 802.16 specifications of the IEEE are developed, for example as in [nwg-stage3]. The Release 1.0, Release 1.5 and Release 1.6 network specification releases are based on the 802.16-2009 or earlier specifications of IEEE for a pure radio link.
However, these specifications (both the NWG specifications and the radio specifications of IEEE) do not include means for protecting or hiding the identity of a mobile device or mobile station (MS) that may be in the form of a MAC address.
The radio interface specifications according to the specification 802.16m, which succeed 802.16-2009, provide means to protect the MS identity over the air, that is, between the MS and the base station (BS) in the access network.
The specification 802.16m does not cover any network-side behaviour but rather only the behaviour over the wireless link. However, a typical WiMAX network following [nwg-stage3] consists of a number of different network elements and network functions, so any mechanism that is just described between a mobile device and a base station cannot work in practice. Also, technically it is not obvious how to solve MS identity privacy within the WiMAX network and especially within the access network (ASN) based on the method described above for the radio link. This method, if combined with a network following [nwg-stage3], would break ASN operation, and most likely terminate communication between the mobile station and the network.
In specification 802.16m, the MS when initially entering the network sends an AMSID* to the network in message 1 that is a 48-bit hash value. The BS stores this value and assigns a temporary ID TSTID to the MS that is returned in message 2.
The MS and BS then use the additional TSTID as the MS identity on the radio interface during the EAP authentication procedure in all related layer-2 messages that are exchanged between MS and BS. Also for the radio link authentication and security establishment using the PKMv3 protocol the TSTID is used in addition to the AMSID*.
As soon as the radio link can be encrypted with a successful PKMv3 exchange, the real MS identity AMSID is sent by the MS to the BS and the BS assigns a STID that will be used as MS identifier for all subsequent communication.
In addition, the network will securely verify based on cryptographic methods that the AMSID* used by the MS at the beginning belongs to the same MS with the real AMSID.
The above method does not cover network internal operation. It does not reflect the fact that a WiMAX access network consists of a BS, ASN-GW. Also, it is not considered that the authentication decision for network access is taken by the AAA server that terminates EAP authentication and may need to verify the MS MAC address received in different messages, or may need to verify the received MS MAC address against information stored in the subscription profile.
Furthermore, if implemented as described by 802.16m, the above described procedure would break ASN communication during network entry within the WiMAX ASN across the R6 reference point. According to [nwg-stage3] the control messages across the R6 reference point, which are related to a specific MS, use the MS identity as central identifier. If the MS identifier changes for the MS (AMSID*/TSTID changed to AMSID/STID as described above) this breaks the whole context for the MS and will likely result in the MS not being able to access the network.
Currently there is no specification available or any known method that enables the identity of a mobile station in the specification 802.16m to be hidden in a WiMAX network, especially within the ASN.
Therefore a method is required, whereby the identity and privacy of a mobile station in a WiMAX network may be protected.